In A World Of Their Own

It is mid afternoon during the Edinburgh Festival on the fast train from Glasgow to Edinburgh. There are a few seats still free for passengers joining at Falkirk, but none of the nice ones with a table or leg room. At one table a man is sitting with his festival programme open across a table having an intense discussion on his mobile phone with the festival box office, with the obvious intent of booking in advance and therefore missing the expected queues.

There is negotiation, there always is, especially if you don’t know the city and you want to move between venues in time to make the events. And finally there was purchasing.  Well you knew there would be.  It was inevitable. From the moment that call started it was clear that the caller was going to do it.  He slowly and clearly gave all his personal details and then read out the numbers on the card.  Anyone who was interested had a pen and paper – or just their mobile device – poised ready for the information.

Now everyone in that carriage potentially had the equivalent of a copy of his credit card, and he had no idea.  If he did find later that his card had been ‘used’ he would put it down to somebody at the pub where he had lunch.  After all, it couldn’t have been his fault.

Most of us, at one time or another, have witnessed the leakage of information like that.  Whether by phone, by the display of papers or computer screens; or by face-to-face meetings in a public place so clear they that are hard to miss.  We know this happens, people email me with examples nearly every day, and yet it remains the least acknowledged of information security vulnerabilities.

My main concern about the example above is that the purchaser is being so care-free with his own personal information that makes his own finances vulnerable.  If he takes so little care of that, how can we hope to help him, or anyone, take care of sensitive business information.

Is there a real business risk?

Yes. Although I take great care in not to collect the details of a data leak, I have enough examples of information gathered to indicate that sensitive data is there to be collected if you know where to look.  Also, I find that business people know where the ‘hot spots’ are, where the most interesting information can be found, these include:

• The Executive Lounge at an airport.  Key times are first thing in the morning and around 5pm.
• Trains – especially where people can sit at a table
• Coffee shops and other hostelries close to a key organisation- especially at Friday lunchtime.
• Taxis – At least taxi drivers tell me so.

Why do they do this?

There has been a lot of research conducted which, though not directly in this area, does inform our understanding.  The interesting one, at work at the moment, is looking at ‘Situational Awareness’, that is: the extent that we are aware of our surroundings if we are concentrating on something else.

Insurance companies such as the Automobile Association in the UK, have given much attention to the growing number of incidents that arise from the inattention of pedestrians; talking on their mobile phones, texting and listening to music devices such as the iPod.  They call this ‘iPod Oblivion’

5 reasons why people are careless with information in public

• Situational Awareness
• Organisational Pressure to work anywhere and everywhere.
• Flawed Risk assessment based on poor awareness of both sensitivity and threat.
• Mistake – the phone rings and it is answered without thought.
• Display behaviour – Those who wish to enhance the appearance of their importance by conducting seemingly significant business where they will be noticed.

I have called this phenomenon, typified by a lack of awareness of surroundings while working, the ‘Virtual Booth’ because it is a zone where awareness of information interception is dampened.  The dimensions of the zone will vary on the situation and the people around you as well as what you are doing.

If you are trying to order a secret present for your beloved you will be much more vigilant of their every move around your screen, than if you are both conducting mundane business transactions. Whatever the size or shape, the problem most definitely exists; making a bad risk decision, when working in public, has never been easier.

What can be done?

Indiscretion is part and parcel of communication; it didn’t arrive with technology any more than the need for the security of information grew from the invention of the computer. Stopping people leaking information is hard and challenged governments even during the Second World War. Any organisation you work with has a smaller budget for dealing with the problem, and probably a smaller commitment to doing so too.

A Lesson Learnt:  The Awareness Re-enforcement Loop

One of the most surprising findings of my research  so far has come from talking to those people who participated in stage one of my observation work.  They reported that, in looking out for insecure working from others, they have become more aware of where, and what, they were working on in public.

I am not suggesting that you start a witch hunt, but why not ask staff to look out for examples as they travel, and then discuss them.  That is not expensive, possibly even free, and requires just a small investment in discussion time. However it taps into those two great resources, the desire to tell stories and the love of learning from the silly mistakes of others.

Wendy Goucher is a security empowerment consultant with Idrach Limited and she is presenting on The Virtual Booth: Data Leakage by Human Means at ISACA’s EuroCACS conference, 20-23 March 2011, Manchester, UK (www.isaca.org/eurocacs)